Azure SubDomain Link to Appservice - azure

I have domain example.com I bought in azure.And I have two appservices app1 and app2.
I can link example.com to app1
But I want to link example.com/one to app1(appservices)
and example.com/two to app2(appservices).
Can anyone plz suugest me how to do this in Microsoft Azure

Using Azure Application Gateway and creating the relevant routing rules would be a good way to do this.
Here's a quick screenshot from Microsoft Docs which talks about a similar scenario..
Do know that there is price associated with it (and a lot of other features). So you may need to evaluate a bit.
Application Gateway Pricing

You will need to assign the custom domain to a load balancer. Azure App Gateway supports URL based routing. Since Azure App Services are multi-tenant you will need to follow these docs to configure App Gateway with an App Server. This is a great solution for single region applications.
If you need mutli-region support, check out our new Azure Front Door Service. Azure Front Door Service enables you to define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability. With Front Door, you can transform your global (multi-region) consumer and enterprise applications into robust, high-performance personalized modern applications, APIs, and content that reach a global audience with Azure.

Related

Azure - Allow access to a website deployed on Azure App Service only for a single country

I have website deployed on Azure App Service and I want to restrict access to my website from any other country accessing it but only a specific country can access that website.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Even though AppService does not provide, Yes this can be done with Azure CDN provider does via the Geo Level Filtering. More details can be found here.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Agree with Sajeetharan. It seems Azure Web App could not restrict the access just by country directly. You can have a try with Azure CDN, it can restrict the access by country.
But, as the comment you said, you do not have to restrict CDN, in this case, you can consider to restrict IP addressees in Azure. You can also use IP Restrictions menu in Azure app services to add restrictions:
You can check the document Azure App Service Access Restrictions for some more details.
Besides, you can try to use web.config or use IP restrictions feature of the webapp:
Check this thread for some more info.
Hope this helps.
Answer is: Azure Front Door with Front Door WAF policy
After going through with different Microsoft documentation I finally implemented the solution with Azure Front Door where you can set Frontend hosts and Backend pools with forwarding/redirecting. And in Frontend hosts, you can select WAF policy.
In the backend pool, you can select any application e.g. App Service or any IP where your app is deployed.
In WAF policy there are multiple options to restrict your traffic and one of them is geolocation restriction.
Just apply geolocation restriction according to your desired country and it will work like a charm.

Azure - Connecting multiple app service containers with custom domain and ssl

I am getting to the point of my project where I am ready to deploy it online with my custom domain via Azure once I make the upgrade from my Free Subscription.
So a little context, I have 1 web app service and 4 api services and each one is hosted in a separate app service such as:
www.sitename.azurewebsites.net
www.sitename-api1.azurewebsites.net
www.sitename-api2.azurewebsites.net
www.sitename-api3.azurewebsites.net
www.sitename-api4.azurewebsites.net
And the above web app communicates to all 4 api's and some api's may or may not talk to another. (Would have loved an application gateway so hopefully I'll be changing this architecture later down the road).
So as I get ready to associate my domain to the services, the web container seems pretty straight forward to me as it just becomes www.sitename.com, but I am a little confused about the api services. The way I am thinking about this is that each api service will be in it's own subdomain, such as:
www.api1.sitename.net
www.api2.sitename.net
www.api3.sitename.net
www.api4.sitename.net
where I believe I can register my SSL and domain to each app service somehow, but this leaves me with a few questions.
Do I host each api in a subdomain using the same domain as the web
app, or is there a different way preferred like where I host them
all on the same domain with different exposed ports per API and web
listening 80/443, or maybe just use the IP address of the api app
service and allow www.sitename.com as the origin for CORS?
I am assuming that since I am associating my SSL cert to the web
service, I will need to do the following on the api services?
Would it be better (and still affordable) if I just had a VNET
associated to the app services and the domain only registered with
the web app?
Any insight into this would be greatly appreciated on how I can establish communication between my app services with my custom domain and SSL as I am fairly new to this part of the stack, but excited about learning!
As I known, on Azure cloud, there are two services can help to manage your APIs deployed on multiple app service containers: API Management and Application Gateway.
The Premium tier of API Management has the feature for multiple custom domain names, please see the offical document Feature-based comparison of the Azure API Management tiers as the figure below.
You can refer to the quick start tutorial of Create a new Azure API Management service instance and other related documents to kown how to.
"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications." said in the introduce What is Azure Application Gateway?. And as the figure of its architecture below, "With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that's optimized for videos."
I recommended to use Azure Application Gateway which be a good choice to manage multiple app services and expose the unified urls of APIs.

How to achieve High Availability for multiple App Services in Azure

I have 2 same Web App and I have added them to application gateway's backed pool in Azure.
I have one domain for the application Gateway and I can bind only one web app to it.
Is there any way to add 2 Web App with the same domain of application gateway?
If not, then any other way to achieve high availability for Web Apps?
I want that if one Web App is not reachable, the traffic should go to other Web App. The Web Apps are not stateless and therefore ruled out the use of Traffic Manager Profile due to lack of Session Persistence.
I have gone through various questions mentioned below on the same topic, but none is related or have satisfactory solution.
- DNS: High Availability with Azure Web Apps + Traffic Manager
- Achieving High Availability using Azure Traffic Manager
- Is it possible that one domain name has multiple corresponding IP addresses?
For App Service, Application Gateway cannot be used for Load balancing Purpose. You can use Application Gateway as WAF. In your scenario, as Thomas stated, AFD would be the best option.
You can leverage the priority option which can be configured while adding App Service to the backend pool to achieve your ask.
You can assign priorities to your different backends when you want to use a primary service backend for all traffic, and provide backups in case the primary or the backup backends are unavailable.
In this case, when the probe to the Primary goes down, then the traffic will be routed to the secondary Web App.
Reference: https://learn.microsoft.com/en-in/azure/frontdoor/front-door-routing-methods

should I choose azure application gateway or load balancer or front door or traffic manager?

I have a SaaS web app developed with Angular 8 and Asp.net Core Web API. I have deployed web api to a azure web app and deployed angular front-end web app to another azure web app as well.
The users are from China and Australia and other countries. I want to have region load balance like Chinese users uses web app on china azure region and australian users use Australian azure region web app so that it has best performance. Azure SQL DB will be in one place (in australia).
In addition, i want to prevent attacking to web front app and web api like d-dos, web scraping and SQL injection. For web scraping, i want to add access rate limitation from one ip.
Can you please advise what service i should use? I saw the blog talking about azure application gateway, azure load balancer, azure front door and azure traffic manager. It is a bit confusing to me. I need a best practise based on my this real world scenario. Should I use one of the service or should I use multiple services?
Based on your requirement:
Since the Backend Resource is Web App, you can ignore Load balancer (Layer 4) where you can only add VMs or VMSS
Your another requirement is WAF, and it is only available in AFD and AppGW. But you can use Traffic Manager as first Tier Load balancing and have AppGW in the different regions to provide high resilience.
As you want users from specific country to reach nearest backend resource, it seems like, the best solution for you is AFD.
AFD is a global Load balancer. It has WAF capability. It can Cache the data and provide quicker responses(CDN functionality). AFD uses an intelligent probing mechanism, through which it chooses the endpoint which is closer to the client who is making the request.
Hope this helps.

3-Tier Web App in Azure Web Apps

In a typical 3-Tier web app, you run web servers in public subnet, while app tier lives in private subnet. Is it possible to run similar architecture with Azure Web apps and Api apps?
I guess you can run Asp.NET Core Web App in Azure Web App and Deploy AspNet Core Web Api to Azure Api App, then make Api end point private so only Web app can talk to it? I see options like Google, Facebook et. as auth providers. Is that what you have to do to make API private?
D.
If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
App Service Environments are ideal for application workloads requiring:
Very high scale
Isolation and secure network access
The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can't know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.
You can see an example of IP restrictions here: restricting IP security
Of course you should also have authentication set up on your API. Documentation links:
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication
In line with what #juunas said above and a slight variant is to introduce Azure API Management Gateway in between Azure web app and Azure Api app. In standard tier API Gateway the IP address is fixed and doesn't change and you can use the API Gateway address in Azure API App web.config to whitelist.

Resources